In my Tomcat web app, I implemented an anti-CSRF token like this:
<form method="post" action="<%=response.encodeURL("buy")%>">
So, the URL becomes: http://10.0.0.129:8080/webapp/buy?CSRFToken=3B2D9F4ED12AB2237B690B8E3C4CD234
However, when I have a <c:forEach items="${forsales}" var="forsale">:
<c:forEach items="${forsales}" var="forsale">
<tr>
<td align="center">${forsale.id}</td>
<td align="center"><a href="${forsale.commentUrl}">${forsale.name}</a></td>
<td align="center">${forsale.sellerid}</td>
<td align="center">${forsale.seller}</td>
<td align="center">${forsale.description}</td>
<td align="center"><fmt:formatNumber value="${forsale.price}" type="currency" /></td>
<td align="center">${forsale.stock}</td>
</tr>
</c:forEach>
How do I encode <a href="${forsale.commentUrl}"> for the link to include the CSRFToken?
CodePudding user response:
Use the JSTL <c:url> instead of scriptlets.
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<a href="<c:url value="${forsale.commentUrl}"/>">${forsale.name}</a>
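Why this works, as an added example that is not part of the answer or of the asker's application: for a relative URL, `<c:url>` passes its result through `response.encodeURL()`, the same call the scriptlet in the question makes. The Java filter below is a hypothetical sketch of the token-appending side only (the class name, the `csrf.token` session attribute and the `javax.servlet` namespace are assumptions; token validation is not shown).

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (assumption, not the asker's code): appends the session's
// CSRF token to every URL that goes through response.encodeURL(), which is the
// call <c:url> makes for relative URLs.
public class CsrfUrlTokenFilter implements Filter {
    static final String PARAM = "CSRFToken";          // parameter name seen in the question's URL
    static final String SESSION_ATTR = "csrf.token";  // assumed session attribute name

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        Object token = session == null ? null : session.getAttribute(SESSION_ATTR);
        if (token == null) {            // no session or no token yet: leave URLs untouched
            chain.doFilter(req, res);
            return;
        }
        chain.doFilter(req, new TokenResponse((HttpServletResponse) res, token.toString()));
    }

    static final class TokenResponse extends HttpServletResponseWrapper {
        private final String token;     // assumed to be URL-safe (e.g. hex), as in the question

        TokenResponse(HttpServletResponse res, String token) { super(res); this.token = token; }

        @Override public String encodeURL(String url) { return addToken(super.encodeURL(url)); }
        @Override public String encodeRedirectURL(String url) { return addToken(super.encodeRedirectURL(url)); }

        private String addToken(String url) {
            // Insert the parameter before any #fragment so the browser still sends it.
            int hash = url.indexOf('#');
            String frag = hash >= 0 ? url.substring(hash) : "";
            String base = hash >= 0 ? url.substring(0, hash) : url;
            return base + (base.indexOf('?') >= 0 ? '&' : '?') + PARAM + "=" + token + frag;
        }
    }
}
```

`<c:url>` skips `encodeURL()` for absolute URLs (those with a scheme), and it prepends the context path to values that start with `/`, so `${forsale.commentUrl}` should be a context-relative path without the `/webapp` prefix for the token to be added correctly.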